Is Biometrics Becoming the Next Build-vs-Buy Decision for KYC Providers?

KYC providers once built biometric stacks to differentiate. As deepfakes, injection attacks and certification regimes mature, biometrics is becoming regulated infrastructure — forcing a choice between building, partnering and acquiring.
TL;DR — In a nutshell
For years, biometric verification sat inside the KYC product roadmap as a strategic feature: face match, liveness, document capture, risk scoring, fallback review. Building it internally felt like differentiation. That logic is changing. AI-generated deepfakes, biometric injection attacks, tougher testing expectations and eIDAS 2.0 readiness are turning biometrics into a continuous compliance and threat-research programme.
The new question for KYC and digital identity providers is not whether they can build biometric capability. It is whether owning the biometric layer still creates enough defensible value to justify the certification burden, model maintenance, attack research, audit exposure and platform risk. In many cases, the stronger strategic move may be to specialize in orchestration, customer experience, policy logic and vertical workflows, while accessing certified biometric capability through a commercial partnership. In other cases, where the right strategic target exists, the best answer may be acquisition: buying not merely a vendor integration, but the biometric infrastructure, privacy-preserving biometric persistency and fraud-protection primitives that will become a strategic portion of the KYC value chain.
The feature that quietly became infrastructure
A few years ago, building biometrics in-house made strategic sense for many KYC providers. It gave vendors more control over onboarding flows, enabled tighter integration with document verification, and created a visible point of differentiation in sales conversations. A provider could say: we own the capture experience, we own liveness, we own face matching, we own the fraud signals.
That worked while biometric risk was still treated mostly as a product-performance problem. The internal questions were familiar: is the face match accurate enough, does the user pass quickly, how many false rejects do we tolerate, what happens when lighting is poor, can we reduce manual review? These were hard questions, but they were manageable within the normal rhythm of product and machine-learning teams.
The environment is different now. Biometrics is becoming adversarial infrastructure. Attackers are no longer limited to printed photos, replayed videos or crude masks. They can generate synthetic faces, manipulate capture streams, bypass cameras through virtual devices, inject media directly into the verification workflow, and iterate quickly against consumer-facing onboarding journeys. The biometric layer is no longer just deciding whether two faces match. It is deciding whether the evidence itself can be trusted.
That changes the economics of ownership.
Deepfakes did not just raise the threat level. They changed the operating model.
The deepfake discussion is often framed as a problem of better fake faces. That is only part of it. The more important shift is that generative AI has lowered the cost of producing convincing, scalable identity evidence. Fraud no longer depends only on one skilled operator preparing one attack. It can be industrialized, localized, automated and adapted.
For a KYC provider, that means biometric defense is not a one-off model build. It becomes a permanent programme: red-team testing, threat intelligence, dataset refreshes, attack taxonomy updates, injection-path analysis, certification maintenance, incident response, quality monitoring, and customer-specific configuration. A biometric stack that was once a product asset now behaves more like a security operations function.
This is where the build-vs-buy question becomes uncomfortable. Internal biometric teams can be excellent and still be structurally disadvantaged if they must absorb the full cost of threat research, independent testing, standards interpretation and certification for only one platform. Specialist biometric providers can spread those costs across many customers and many attack attempts. They see more fraud patterns, test more edge cases, and justify deeper investment in certification because it is their core business.
The strategic question becomes: does owning the biometric layer make the KYC platform more valuable, or does it quietly turn the company into a biometric security lab?
Presentation attacks and injection attacks are now separate board-level risks
The older mental model of biometric fraud focused heavily on presentation attacks: a person presents something to the capture sensor that is not the genuine live user. That might be a printed face, a screen replay, a mask or another artifact. Presentation attack detection is the world of liveness, spoof resistance and ISO-style evaluation.
That remains essential. ISO/IEC 30107-3 establishes principles and methods for evaluating presentation attack detection mechanisms, including reporting and known attack classification. It is not a marketing badge; it is a way of asking whether a PAD system has been tested under a recognized methodology rather than merely claimed by a vendor.
But injection attacks are different. In an injection attack, the attacker may not present anything physically to the camera at all. Instead, they replace or modify the biometric sample somewhere in the digital evidence path. A virtual camera, API manipulation, hooked function, compromised app environment or intercepted media stream can make a verification system believe it is receiving genuine camera evidence when it is actually receiving controlled synthetic input.
That distinction matters because a KYC provider can have a good face matcher and still be vulnerable if the evidence path is not protected. It can have liveness checks and still be exposed if the image or video stream is injected after the point where liveness assumptions are made. The security question moves from “is this a live face?” to “is this a live face captured through a trusted path from the claimed device and session?”
CEN/TS 18099 addresses this emerging gap by defining a framework for biometric data injection attack detection. ETSI TS 119 461 v2.1.1, the identity proofing standard relevant to trust service components, also explicitly reflects the growing importance of biometric injection attack prevention and detection. That is a major signal: high-assurance remote identity proofing is moving beyond basic liveness toward protection of the entire evidence collection process.
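The "trusted path" question above can be made concrete on the verifier side. The following is an added illustration, not code from the article or from Youverse, of how a server can bind each capture to a single-use session challenge and a tag over the media digest, so that a sample replayed, substituted or submitted outside the challenge window is rejected before any face match or liveness logic runs. It assumes a hypothetical capture component that shares a key with the server; in practice that key would be device-attested and hardware-backed, and this check complements, rather than replaces, PAD and the injection attack detection CEN/TS 18099 describes.

```python
import hashlib
import hmac
import secrets
import time

# Assumption (not from the article): a key shared with the capture component.
# A real deployment would use a per-device, hardware-backed attestation key.
CAPTURE_KEY = b"constructed-demo-key-not-for-production"
CHALLENGE_TTL_SECONDS = 60


def issue_challenge(sessions, session_id, now=None):
    """Issue a fresh single-use nonce for one capture attempt in a session."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(16)
    sessions[session_id] = {"nonce": nonce, "issued": now, "used": False}
    return nonce


def capture_tag(nonce, captured_at, image_bytes):
    """Tag the capture component computes over nonce, capture time and image digest."""
    image_digest = hashlib.sha256(image_bytes).hexdigest()
    message = f"{nonce}|{captured_at}|{image_digest}".encode()
    return hmac.new(CAPTURE_KEY, message, hashlib.sha256).hexdigest()


def verify_capture(sessions, session_id, image_bytes, nonce, captured_at, tag, now=None):
    """Return (accepted, reason). Only evidence-path binding; PAD and matching come after."""
    now = time.time() if now is None else now
    session = sessions.get(session_id)
    if session is None:
        return False, "unknown session"
    if session["used"]:
        return False, "nonce already consumed (replay)"
    if not hmac.compare_digest(session["nonce"], nonce):
        return False, "nonce does not match challenge"
    if now - session["issued"] > CHALLENGE_TTL_SECONDS:
        return False, "challenge expired"
    if not (session["issued"] <= captured_at <= now):
        return False, "capture time outside challenge window"
    expected = capture_tag(nonce, captured_at, image_bytes)
    if not hmac.compare_digest(expected, tag):
        return False, "image or metadata altered after capture"
    session["used"] = True  # each challenge accepts exactly one sample
    return True, "capture bound to session"


def demo():
    """Constructed scenarios: genuine capture, replay, media swap, stale submission."""
    sessions = {}
    t0 = 1_700_000_000.0
    frame = b"constructed-jpeg-bytes-from-capture-sdk"
    nonce = issue_challenge(sessions, "s1", now=t0)
    tag = capture_tag(nonce, t0 + 2, frame)
    genuine = verify_capture(sessions, "s1", frame, nonce, t0 + 2, tag, now=t0 + 3)
    replay = verify_capture(sessions, "s1", frame, nonce, t0 + 2, tag, now=t0 + 4)
    nonce2 = issue_challenge(sessions, "s2", now=t0)
    tag2 = capture_tag(nonce2, t0 + 2, frame)
    swapped = verify_capture(sessions, "s2", b"other-media", nonce2, t0 + 2, tag2, now=t0 + 3)
    nonce3 = issue_challenge(sessions, "s3", now=t0)
    tag3 = capture_tag(nonce3, t0 + 2, frame)
    stale = verify_capture(sessions, "s3", frame, nonce3, t0 + 2, tag3, now=t0 + 120)
    return genuine, replay, swapped, stale
```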
Compliance is becoming continuous, not episodic
This is the point many build-vs-buy analyses underestimate. The cost of biometrics is not only the cost of model development. It is the cost of proving, repeatedly, that the system remains resistant to the attack landscape regulators, auditors, customers and standards bodies now care about.
A KYC provider that owns its biometric stack must increasingly think about:
- ISO/IEC 30107-3 testing for presentation attack detection.
- CEN/TS 18099 readiness or certification for biometric injection attack detection.
- ETSI TS 119 461 alignment for trust-service identity proofing and eIDAS 2.0 readiness.
- Continuous monitoring of new deepfake and media-injection techniques.
- Model and policy updates that do not break legitimate-user conversion.
- Evidence that controls work across devices, browsers, mobile apps and capture channels.
- Customer audits that ask not only “does it work?” but “who tested it, against what, and when?”
This is not a normal feature backlog. It is a regulated assurance programme with technical, legal and reputational consequences.
eIDAS 2.0 makes that direction even clearer. Regulation (EU) 2024/1183 establishes the European Digital Identity Framework and expands the trust-services and wallet ecosystem. In that environment, remote identity proofing and onboarding components will be judged not only by user experience but by assurance, interoperability, certification and resistance to sophisticated fraud.
For KYC providers serving banks, fintechs, telcos, marketplaces, mobility platforms or regulated digital services, the commercial implication is direct: customers will increasingly expect evidence of biometric security controls that internal product teams cannot simply assert. They will ask for certification, independent testing and alignment with recognized standards.
We have seen this movie before
Industries often begin by building core infrastructure internally because the market is immature, vendor options are weak, and differentiation feels obvious. Then, as the domain matures, the infrastructure becomes too complex, too regulated or too expensive for every company to maintain alone.
Payments companies stopped trying to own every part of payment infrastructure. Cybersecurity vendors do not all build their own threat-intelligence networks from scratch. Identity providers increasingly rely on orchestration layers rather than maintaining every integration directly. Cloud infrastructure itself is the most obvious example: companies still differentiate through software, data, trust and customer experience, but few believe they create value by operating every primitive layer themselves.
Biometrics may be entering the same phase.
The first generation of KYC differentiation was about having biometrics. The next generation may be about knowing where biometrics should sit in the architecture — and whether it should be accessed through partnership or owned through acquisition. The winning platforms may not be the ones that organically build every model, every liveness control and every injection defense internally. They may be the ones that combine certified specialist biometric components with superior policy design, customer workflows, orchestration, risk intelligence and privacy architecture. For some, that combination will come through a commercial partnership. For others, the strategically correct move will be to acquire the biometric layer and turn it into a proprietary infrastructure advantage.
This does not mean biometrics becomes unimportant. It means it becomes too important to be treated as a side feature.
The real build-vs-buy question is not technical capability. It is strategic focus.
A strong engineering team can build face matching. It can build a liveness flow. It can integrate document capture, fallback review and risk scoring. The problem is that the bar keeps moving.
If the biometric layer is built internally, the provider must keep pace with deepfake evolution, injection tooling, device compromise patterns, standards updates and audit expectations. It must maintain datasets, testing environments, adversarial research, certification relationships, customer evidence packs and operational playbooks. It must do this while also building the rest of the KYC platform.
That may still make sense for some companies. A hyperscale identity provider with a massive research budget, large fraud telemetry, and biometrics as a strategic core may choose to own the layer. A government identity programme may have sovereign control requirements. A vertically integrated platform may have a justified reason to treat biometrics as proprietary infrastructure.
But many KYC providers should be more skeptical. The decision should not be based on engineering pride or historical architecture. It should be based on a sober answer to one question: does owning biometrics create enough unique customer value to offset the cost, liability and complexity of remaining independently excellent against the newest attacks?
If the answer is no, the next decision is not simply “outsource or keep building.” Buying can mean two very different things. It can mean a commercial partnership with a certified specialist provider, preserving speed and flexibility while reducing internal certification and threat-research burden. Or, when the target is strategic enough, it can mean acquisition — owning the biometric infrastructure without carrying the time, execution risk and opportunity cost of building it from zero.
That is the best-of-both-worlds version of buy: optimize long-term cost, accelerate assurance maturity, and still own a strategic portion of the KYC value chain. In that model, the acquired asset is not merely face matching. It is the infrastructure for biometric evidence collection, privacy-preserving persistency of biometric identity, and the security primitives that protect against presentation attacks, injection attacks, deepfakes and future fraud methods.
What KYC providers should evaluate before deciding
The decision should start with risk, not procurement. A KYC provider should map where biometric evidence enters the system, where it can be manipulated, how liveness is evaluated, whether the capture path is protected, what certification exists, how frequently the controls are retested, and how the provider would respond if a customer asks for proof of resistance to injection attacks.
The most important evaluation questions are practical:
- Is our biometric stack independently tested for presentation attack detection?
- Do we have credible injection attack detection across the full evidence path?
- Can we explain the difference between PAD and IAD to a regulator or tier-one customer?
- Do we have ETSI TS 119 461 readiness for identity proofing use cases linked to trust services or eIDAS 2.0?
- How quickly can we update models and controls when attack methods change?
- Are our fraud telemetry and R&D budget large enough to compete with specialist providers?
- Does owning this layer help us win deals, or does lack of certification increasingly put deals at risk?
These questions often reveal that the biometric stack has outgrown its original purpose. What began as a differentiating feature becomes a liability if it cannot be continuously validated.
They also reveal which form of “buy” makes sense. If biometrics is important but not central to the provider’s long-term control point, partnership may be the right answer. If biometrics is becoming central to future KYC defensibility, customer trust, margin structure, regulatory assurance and platform valuation, acquisition deserves serious consideration. A KYC provider that acquires the right biometric infrastructure can preserve strategic ownership while avoiding years of duplicate R&D, certification catch-up and adversarial trial-and-error.
Privacy changes the answer again
There is another dimension to the build-vs-buy decision: biometric architecture is not only a fraud-control issue. It is also a privacy issue.
As biometric systems become more central to onboarding, authentication and wallet binding, the question is not merely whether the face match is accurate. It is where biometric data is processed, whether reusable templates are stored centrally, how they are protected, who can access them, and whether the system creates a biometric honeypot that would be catastrophic if compromised.
A partner-based approach is only attractive if it improves both security and privacy. Outsourcing biometrics to a vendor that centralizes sensitive biometric data without strong privacy-preserving architecture may simply move the risk rather than reduce it. The same is true for acquisition: buying a biometric company only creates durable strategic value if the acquired architecture is aligned with the future of privacy-preserving identity. The stronger direction is specialist biometric capability combined with decentralized, privacy-preserving design: systems that prove the rightful person is present without creating unnecessary centralized stores of biometric identifiers.
This is where Youverse’s positioning matters. Youverse’s identity verification, biometric authentication and liveness capabilities are designed around the idea that trust should not require turning biometric identity into a centralized liability. The architectural direction is to bind credentials and authentication events to the rightful person while preserving privacy, resisting presentation attacks and injection attacks, and supporting high-assurance digital identity flows.
That is not just a product preference. It is where the market is heading: security evidence, certified controls, and privacy-preserving identity architecture in the same stack.
The future KYC stack will be more modular, but not less accountable
A common objection to buying biometric capability is loss of control. That is understandable. KYC providers are judged by their customers on onboarding completion, fraud rate, compliance evidence, audit outcomes and user experience. They cannot outsource accountability. But the objection is incomplete, because “buy” does not have to mean permanent dependency on an external supplier. It can also mean acquiring the capability and making it part of the platform’s core infrastructure.
Modularity does not remove accountability either; it changes how accountability is managed. In a partnership model, the KYC provider owns vendor selection, architecture, integration quality, fallback logic, evidence governance, customer transparency and risk monitoring. In an acquisition model, the provider goes further: it internalizes the biometric infrastructure layer while inheriting specialist research, certification maturity, fraud telemetry, security primitives and privacy-preserving biometric persistency.
This is a better framing of control. The objective is not ideological ownership of every codebase. The objective is control over the assurance architecture, cost curve and strategic trust layer.
The strongest KYC platforms will likely be those that understand where to differentiate, where to partner and where to acquire. They will differentiate in vertical knowledge, risk policy, customer experience, case management, orchestration, regulatory workflows and data intelligence. They will partner where speed, specialization and certification scale matter more than ownership. And when biometrics is identified as a strategic control point, they may acquire the capability to own a critical portion of the value chain rather than rent it indefinitely.
Conclusion: biometrics is becoming too important to be treated as a feature
The KYC industry used to ask whether biometrics should be part of the onboarding flow. That question is settled. The harder question is who should own the biometric trust layer, and under what assurance model.
Deepfakes, injection attacks, PAD testing, IAD certification and eIDAS 2.0 readiness are pushing biometrics out of the product-feature category and into the category of regulated security infrastructure. Once that happens, build-vs-buy analysis changes. The issue is no longer whether an internal team can build something that works. It is whether the organization can continuously prove that it works against the attacks, standards and audits that now define trustworthy identity verification.
For many KYC and digital identity providers, the future will not belong to platforms that organically build every layer of the stack. It will belong to platforms that know exactly where they create value, where specialization matters, where partnership reduces risk without compromising trust, and where acquisition is the more strategic form of buying because it locks in long-term control of biometric infrastructure.
Biometrics may be next in the long list of infrastructure layers that began as differentiation and became too critical to build casually — and too strategic to leave outside the value chain when the right acquisition target exists.
FAQ
Why is biometrics becoming a build-vs-buy decision for KYC providers?
Because biometric verification is no longer just face matching or liveness. It now requires continuous defense against deepfakes, presentation attacks, injection attacks, certification expectations and regulatory scrutiny.
What is the difference between PAD and IAD?
Presentation attack detection focuses on detecting fake physical or displayed presentations to the sensor, such as masks, prints or replayed screens. Injection attack detection focuses on attacks that replace or manipulate the biometric data stream before it reaches the verification system.
Why does ISO/IEC 30107-3 matter?
ISO/IEC 30107-3 provides principles and methods for evaluating presentation attack detection mechanisms. It helps customers and auditors distinguish tested PAD capability from unsupported vendor claims.
Why does CEN/TS 18099 matter?
CEN/TS 18099 addresses biometric data injection attack detection. This matters because modern deepfake and fraud attacks can bypass the camera entirely by injecting synthetic or manipulated media into the evidence path.
How does ETSI TS 119 461 affect KYC providers?
ETSI TS 119 461 is relevant to identity proofing for trust service components and eIDAS readiness. It raises expectations around security controls, including protection against presentation and injection attacks in high-assurance remote identity proofing.
Does buying biometrics mean losing control?
Not necessarily. Buying can mean a commercial partnership, where control shifts to selecting and governing certified specialist controls. It can also mean acquisition, where the KYC provider owns the biometric infrastructure while gaining specialist maturity faster than building from zero.
Should every KYC provider stop building biometrics internally?
No. Some providers should keep building. Others should partner. And some should acquire. The right answer depends on whether biometrics is a strategic control point, whether the internal team can keep pace with threats and certification, and whether an acquisition target can optimize long-term cost while securing ownership of the value chain.
What should KYC providers look for in a biometric partner or acquisition target?
They should look for independent testing, PAD and IAD capability, clear certification evidence, privacy-preserving architecture, persistent biometric identity without centralized honeypots, strong integration options, rapid threat response and credible support for high-assurance identity use cases.
